Google patches second Chrome zero-day in two weeks

Google Chrome 86.0.4240.183 available for download. Patches 10 security bugs, including an actively-exploited zero-day.

Image: Google

Google has released a security update today for its Chrome web browser that patches ten security bugs, including one zero-day vulnerability that is currently actively exploited in the wild.

Identified as CVE-2020-16009, the zero-day was discovered by Google's Threat Analysis Group (TAG), a security team at Google tasked with tracking threat actors and their ongoing operations.

In typical Google fashion, details about the zero-day and the group exploiting the bug have not been made public — as a way to allow Chrome users more time to install the updates and prevent other threat actors from developing their own exploits for the same zero-day.

However, in a short changelog published today, Google said the zero-day resides in V8, the Chrome component that handles JavaScript code.

Chrome users are advised to update their browser to version 86.0.4240.183 or later.

Second zero-day in two weeks

This is the second Chrome zero-day that Google found exploited in the wild in the past two weeks.

On October 20, Google also released a security update for Chrome to patch CVE-2020-15999, a zero-day in Chrome's FreeType font rendering library.

As Google revealed last Friday, this Chrome zero-day was used together with a Windows zero-day (CVE-2020-17087).

The Chrome zero-day was used to execute malicious code inside Chrome, while the Windows zero-day was used to elevate the code's privileges and attack the underlying Windows OS. Microsoft is expected to patch this zero-day on November 10, during the company's next Patch Tuesday.

Google didn't clarify if these two zero-days were abused by the same threat actor.

Update: Third zero-day also disclosed

Five hours after this article went live, Google also released patches for a third zero-day.

Unlike the first two, this one affects only Chrome for Android.

Tracked as CVE-2020-16010, this zero-day is a heap buffer overflow vulnerability in the Chrome for Android user interface (UI) component, and users can protect themselves by updating Chrome for Android to version 86.0.4240.185.